X.509 certificate handling.
#include "ike/ike.h"
#include "ike/ike_certificate.h"
#include "ike/ike_payload_parse.h"
#include "encoding/asn1.h"
#include "encoding/oid.h"
#include "pkix/pem_import.h"
#include "pkix/x509_cert_parse.h"
#include "pkix/x509_cert_validate.h"
#include "debug.h"
Macros | |
#define | TRACE_LEVEL IKE_TRACE_LEVEL |
Functions | |
error_t | ikeGetCertificateType (const X509CertInfo *certInfo, IkeCertType *certType) |
Retrieve the certificate type. More... | |
error_t | ikeGetCertSubjectDn (const char_t *cert, size_t certLen, uint8_t *subjectDn, size_t *subjectDnLen) |
Extract subject's DN from certificate. More... | |
error_t | ikeFormatCertAuthorities (const char_t *trustedCaList, size_t trustedCaListLen, uint8_t *certAuth, size_t *certAuthLen) |
Format list of acceptable certification authorities. More... | |
bool_t | ikeIsDuplicateCa (const uint8_t *certAuth, size_t certAuthLen, const uint8_t *digest) |
Test whether the provided SHA-1 digest value is a duplicate. More... | |
error_t | ikeParseCertificateChain (IkeSaEntry *sa, IpsecPadEntry *padEntry, const uint8_t *message, size_t length) |
Parse certificate chain. More... | |
error_t | ikeValidateCertificate (IkeSaEntry *sa, IpsecPadEntry *padEntry, const X509CertInfo *certInfo, uint_t pathLen) |
Verify certificate against root CAs. More... | |
error_t | ikeCheckKeyUsage (const X509CertInfo *certInfo) |
Check certificate key usage. More... | |
Detailed Description
X.509 certificate handling.
License
SPDX-License-Identifier: GPL-2.0-or-later
Copyright (C) 2022-2024 Oryx Embedded SARL. All rights reserved.
This file is part of CycloneIPSEC Open.
This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
- Version
- 2.4.4
Definition in file ike_certificate.c.
Macro Definition Documentation
◆ TRACE_LEVEL
#define TRACE_LEVEL IKE_TRACE_LEVEL |
Definition at line 32 of file ike_certificate.c.
Function Documentation
◆ ikeCheckKeyUsage()
error_t ikeCheckKeyUsage | ( | const X509CertInfo * | certInfo | ) |
Check certificate key usage.
- Parameters
-
[in] certInfo Pointer to the X.509 certificate
- Returns
- Error code
Definition at line 811 of file ike_certificate.c.
◆ ikeFormatCertAuthorities()
error_t ikeFormatCertAuthorities | ( | const char_t * | trustedCaList, |
size_t | trustedCaListLen, | ||
uint8_t * | certAuth, | ||
size_t * | certAuthLen | ||
) |
Format list of acceptable certification authorities.
- Parameters
-
[in] trustedCaList List of trusted CAs (PEM format)
[in] trustedCaListLen Total length of the list, in bytes
[out] certAuth List of SHA-1 hashes of the public keys of the trusted CAs
[in,out] certAuthLen Actual length of the list, in bytes (the parameter is marked in/out, so its value on entry presumably bounds the certAuth buffer — confirm against the source)
- Returns
- Error code
Definition at line 287 of file ike_certificate.c.
◆ ikeGetCertificateType()
error_t ikeGetCertificateType | ( | const X509CertInfo * | certInfo, |
IkeCertType * | certType | ||
) |
Retrieve the certificate type.
- Parameters
-
[in] certInfo X.509 certificate
[out] certType Certificate type
- Returns
- Error code
Definition at line 56 of file ike_certificate.c.
◆ ikeGetCertSubjectDn()
error_t ikeGetCertSubjectDn | ( | const char_t * | cert, |
size_t | certLen, | ||
uint8_t * | subjectDn, | ||
size_t * | subjectDnLen | ||
) |
Extract subject's DN from certificate.
- Parameters
-
[in] cert Certificate (PEM format)
[in] certLen Length of the certificate, in bytes
[out] subjectDn Buffer where to copy the X.500 distinguished name
[out] subjectDnLen Length of the X.500 distinguished name, in bytes
Note that the signature carries no capacity parameter for subjectDn, so the caller must provide a buffer large enough for any DN the certificate may contain.
- Returns
- Error code
Definition at line 205 of file ike_certificate.c.
◆ ikeIsDuplicateCa()
bool_t ikeIsDuplicateCa | ( | const uint8_t * | certAuth, |
size_t | certAuthLen, | ||
const uint8_t * | digest | ||
) |
Test whether the provided SHA-1 digest value is a duplicate.
- Parameters
-
[in] certAuth List of SHA-1 hashes of the public keys of the trusted CAs
[in] certAuthLen Length of the list, in bytes
[in] digest SHA-1 digest to be checked for a duplicate value
- Returns
- TRUE if the SHA-1 digest value is a duplicate, else FALSE
Definition at line 410 of file ike_certificate.c.
◆ ikeParseCertificateChain()
error_t ikeParseCertificateChain | ( | IkeSaEntry * | sa, |
IpsecPadEntry * | padEntry, | ||
const uint8_t * | message, | ||
size_t | length | ||
) |
Parse certificate chain.
- Parameters
-
[in] sa Pointer to the IKE SA
[in] padEntry Pointer to the PAD entry
[in] message Pointer to the received IKE message
[in] length Length of the IKE message, in bytes
- Returns
- Error code
Definition at line 445 of file ike_certificate.c.
◆ ikeValidateCertificate()
error_t ikeValidateCertificate | ( | IkeSaEntry * | sa, |
IpsecPadEntry * | padEntry, | ||
const X509CertInfo * | certInfo, | ||
uint_t | pathLen | ||
) |
Verify certificate against root CAs.
- Parameters
-
[in] sa Pointer to the IKE SA
[in] padEntry Pointer to the PAD entry
[in] certInfo X.509 certificate to be verified
[in] pathLen Certificate path length
- Returns
- Error code
Definition at line 654 of file ike_certificate.c.